Flickr Badge

Sunday, April 10, 2005

Phishing fun with Unicode

Remember the phishing attack I had posted about before ? IE was immune to the attack because they hadn't implemented the unicode support for domain names. Well, Ned Batchelder posts about this amazing new Unicode phishing attack, which works on IE, but not on Firefox, the reason being Firefox's incomplete support for bidirectional text rendering.

Basically what the attack does is to get past spam filters by writing certain sequences of text in left to right rendering mode and certain sequences in right to left rendering mode. Since IE has good support for bidirectional text rendering, the text is properly rendered, and it fools spam filters that do not understand unicode. Very clever.

A similar attack which would work on both IE and Firefox can probably be achieved (I've not tested this) by inserting zero-width spaces (U+200B) in between letters of a word. Filters that do byte by byte string compares would not match, but because this character is not rendered, it would look like a normal word to the end user.

About Me

I am the founder of Silver Stripe Software where we develop web based SaaS products. We've developed three products - Tool For Agile suite of products for teams that follow a lean or agile process, Tour My App a product for SaaS developers to provide in-app guided tours for their users, and Sequence, a tool to take actions based on user behaviour.
I do a bit of programming, some photography once in a while and like to do some cooking at times.